eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Make valkey local on ringtail (nix amd64) + bump to 8.1.7 (#362)

Browse source 
## Summary

Weekly "make one non-local container local" pickup: immich-ringtail still pulled `docker.io/valkey/valkey:8.1.6` because the existing `containers/valkey/container.py` build was arm64-only.

- Adds `containers/valkey/default.nix` — nix-built amd64 valkey image, packaged by the ringtail nix-container-builder runner using `pkgs.dockerTools.buildLayeredImage`. Mirrors the existing `containers/authentik-redis/default.nix` pattern.
- `containers/valkey/container.py` keeps building the Alpine arm64 image for paperless on indri. Bumped both builds to upstream valkey 8.1.7 (Alpine 3.22 now ships `8.1.7-r0`; nixpkgs has 8.1.7).
- Splits `VERSION` (upstream app) from `ALPINE_PIN` (apk pin) in `container.py` so both build files can declare the same upstream version and pass `container-version-check`.
- Updates `service-versions.yaml`: current-version 8.1.7, refreshed last-reviewed, upstream-source now points at the canonical valkey-io releases page.
- Switches kustomizations:
  - `immich-ringtail/kustomization.yaml`: `docker.io/valkey/valkey:8.1.6` → `registry.ops.eblu.me/blumeops/valkey:v8.1.7-02859c5-nix`, comment updated.
  - `paperless/kustomization.yaml`: `v8.1.6-r0-fabca04` → `v8.1.7-02859c5`.

## Build

build-container run #563 — both jobs succeeded after a transient runner crash on the first dispatch (#562 build-nix), which surfaced two separate bugs that landed in a separate C0 on main:

- `runner-logs` silently returned 0 with no output when the log file didn't exist on indri
- `ssh indri` swallowing remote exit codes (fish login shell), which the wrapper now works around via a stdout marker

## Test plan

- [ ] `argocd app set immich-ringtail --revision valkey-nix && argocd app sync immich-ringtail`
- [ ] `argocd app set paperless --revision valkey-nix && argocd app sync paperless`
- [ ] Both valkey pods come Ready and start serving on :6379
- [ ] Immich app + paperless can read/write their respective cache
- [ ] After merge: rebuild from squashed main commit + update kustomization tags (squash-tag follow-up)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #362
This commit is contained in:
Erich Blume 2026-05-28 14:51:09 -07:00
commit ecded30073
6 changed files with 53 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

9
argocd/manifests/immich-ringtail/kustomization.yaml
View file

@ -21,8 +21,9 @@ images:
- name: ghcr.io/immich-app/immich-machine-learning - name: ghcr.io/immich-app/immich-machine-learning
# CUDA variant of the same release — ringtail has an RTX 4080 # CUDA variant of the same release — ringtail has an RTX 4080
newTag: v2.6.3-cuda newTag: v2.6.3-cuda
# Using upstream multi-arch valkey image directly; the # amd64 valkey built via nix on the ringtail nix-container-builder
# registry.ops.eblu.me/blumeops/valkey mirror is arm64-only (built # (see containers/valkey/default.nix). The Alpine container.py build
# on indri) and would crashloop on ringtail. # is arm64-only and serves paperless on indri.
- name: docker.io/valkey/valkey - name: docker.io/valkey/valkey
newTag: "8.1.6" newName: registry.ops.eblu.me/blumeops/valkey
newTag: v8.1.7-02859c5-nix

2
argocd/manifests/paperless/kustomization.yaml
View file

@ -16,4 +16,4 @@ images:
newTag: v2.20.13-07f52e9 newTag: v2.20.13-07f52e9
- name: docker.io/library/redis - name: docker.io/library/redis
newName: registry.ops.eblu.me/blumeops/valkey newName: registry.ops.eblu.me/blumeops/valkey
newTag: v8.1.6-r0-fabca04 newTag: v8.1.7-02859c5

15
containers/valkey/container.py
View file

@ -1,8 +1,8 @@
"""Valkey — native Dagger build. """Valkey — native Dagger build (arm64, indri).
Alpine 3.22 base with the `valkey` apk package (8.1.x Redis-compatible). Alpine 3.22 base with the `valkey` apk package (8.1.x Redis-compatible).
Mirrors `docker.io/valkey/valkey:8.1-alpine`, used by paperless and immich Used by paperless (sidecar) on indri. immich on ringtail uses the
as a cache/queue sidecar. nix-built amd64 variant from `default.nix` in this directory.
""" """
import dagger import dagger
@ -10,9 +10,10 @@ from dagger import dag
from blumeops.containers import oci_labels from blumeops.containers import oci_labels
# Alpine 3.22 ships valkey 8.1.6-r0. Alpine 3.23 jumps to 9.0 — hold on 3.22 # Alpine 3.22 currently ships valkey 8.1.7-r0. Alpine 3.23 jumps to 9.0 —
# to keep this a 1:1 swap for the upstream `valkey:8.1-alpine` image. # hold on 3.22 to keep this aligned with the 8.1 line.
VERSION = "8.1.6-r0" VERSION = "8.1.7"
ALPINE_PIN = "8.1.7-r0"
ALPINE_BASE = "alpine:3.22" ALPINE_BASE = "alpine:3.22"
@ -21,7 +22,7 @@ async def build(src: dagger.Directory) -> dagger.Container:
ctr = ( ctr = (
dag.container() dag.container()
.from_(ALPINE_BASE) .from_(ALPINE_BASE)
.with_exec(["apk", "add", "--no-cache", f"valkey={VERSION}"]) .with_exec(["apk", "add", "--no-cache", f"valkey={ALPINE_PIN}"])
.with_exec(["mkdir", "-p", "/data"]) .with_exec(["mkdir", "-p", "/data"])
.with_exec(["chown", "valkey:valkey", "/data"]) .with_exec(["chown", "valkey:valkey", "/data"])
.with_workdir("/data") .with_workdir("/data")

30
containers/valkey/default.nix Normal file
View file

@ -0,0 +1,30 @@
# Nix-built Valkey for ringtail (amd64)
# Companion to container.py (Alpine 3.22, arm64 on indri).
# Used by immich-ringtail which needs an amd64 image; paperless on indri
# continues to use the Alpine container.py build.
#
# The version assertion ensures nix-build fails if a flake.lock update
# changes the Valkey version — forcing an explicit version acknowledgment
# here and in service-versions.yaml (enforced by container-version-check).
{ pkgs ? import <nixpkgs> { } }:
let
version = "8.1.7";
in
assert pkgs.valkey.version == version;
pkgs.dockerTools.buildLayeredImage {
name = "blumeops/valkey";
contents = [
pkgs.valkey
];
config = {
Entrypoint = [ "${pkgs.valkey}/bin/valkey-server" ];
Cmd = [ "--bind" "0.0.0.0" "--protected-mode" "no" "--dir" "/data" ];
ExposedPorts = {
"6379/tcp" = { };
};
};
}

1
docs/changelog.d/valkey-nix.infra.md Normal file
View file

@ -0,0 +1 @@
Add nix-built amd64 valkey for ringtail (`containers/valkey/default.nix`) so immich-ringtail can stop pulling the upstream multi-arch `docker.io/valkey/valkey` image. Existing `container.py` continues to build Alpine arm64 for paperless on indri. Both bump to valkey 8.1.7 (Alpine 3.22 8.1.7-r0 / nixpkgs 8.1.7).

15
service-versions.yaml
View file

@ -146,14 +146,15 @@ services:
- name: valkey - name: valkey
type: argocd type: argocd
last-reviewed: 2026-05-01 last-reviewed: 2026-05-28
current-version: "8.1.6-r0" current-version: "8.1.7"
upstream-source: https://pkgs.alpinelinux.org/package/v3.22/community/aarch64/valkey upstream-source: https://github.com/valkey-io/valkey/releases
notes: >- notes: >-
Shared Alpine-built valkey image, used as a sidecar/cache by paperless Dual-build valkey image: container.py builds Alpine 3.22 + apk valkey
(sidecar) and immich (separate Deployment). Mirrors the upstream (arm64, indri) for paperless; default.nix builds via nixpkgs (amd64,
docker.io/valkey/valkey:8.1-alpine. Pinned to Alpine 3.22 for valkey 8.1.x; ringtail) for immich-ringtail. Both track upstream valkey 8.1.x; Alpine
Alpine 3.23 jumps to 9.0. Distinct from authentik-redis (nix-built Redis 3.22 currently ships 8.1.7-r0 and nixpkgs valkey is 8.1.7. Alpine 3.23
jumps to 9.0. Distinct from authentik-redis (nix-built Redis
8.x) which has its own entry. 8.x) which has its own entry.
- name: external-secrets - name: external-secrets